Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Microsoft Security Windows IT News

Flame Malware Hijacks Windows Update 268

wiredmikey writes "As more research unfolds about the recently discovered Flame malware, researchers have found three modules – named Snack, Gadget and Munch – that are used to launch what is essentially a man-in-the-middle attack against other computers on a network. As a result, Kaspersky researchers say when a machine attempts to connect to Microsoft's Windows Update, it redirects the connection through an infected machine and it sends a fake malicious Windows Update to the client. That is courtesy of a rogue Microsoft certificate that chains to the Microsoft Root Authority and improperly allows code signing. According to Symantec, the Snack module sniffs NetBIOS requests on the local network. NetBIOS name resolution allows computers to find each other on a local network via peer-to-peer, opening up an avenue for spoofing. The findings have prompted Microsoft to say that it plans to harden Windows Update against attacks in the future, though the company did not immediately reveal details as to how." And an anonymous reader adds a note that Flame's infrastructure is massive: "over 80 different C&C domains, pointed to over 18 IP addresses located in Switzerland, Germany, the Netherlands, Hong Kong, Poland, the UK, and other countries."
This discussion has been archived. No new comments can be posted.

Flame Malware Hijacks Windows Update

Comments Filter:
  • whoops (Score:5, Insightful)

    by gbjbaanb ( 229885 ) on Tuesday June 05, 2012 @01:41PM (#40222001)

    and you thought Conficker was bad!

    • OK, my notebook that still has Windows on it (out of pure laziness) has been nagging me about a security update for a couple of days, yesterday I went ahead and updated. Should I worry?

      • by The Mighty Buzzard ( 878441 ) on Tuesday June 05, 2012 @02:05PM (#40222359)

        Of course, it's running Windows.

        The preceding was meant tongue-in-cheek but even having said that there'll probably still be Linux/MS fanbois who want to take it seriously and start a flamewar.

      • by fuzzyfuzzyfungus ( 1223518 ) on Tuesday June 05, 2012 @02:19PM (#40222529) Journal
        If you are on a network that already features Flame, you should probably just wipe and reinstall now.

        Otherwise, that security update was probably Microsoft's emergency blacklisting of the signing keys that were used to make the Flame components pass as MS-signed software...
      • by Razgorov Prikazka ( 1699498 ) on Tuesday June 05, 2012 @02:22PM (#40222571)
        Well, I am not an expert on the topic but there are a few things you might want to consider before you get all overexcited on that...
        First, there are hardly any infections outside the Arab-world. (my guess is that it just takes a look at the keyboard driver in use) Going by your username you're not an Arab guy.
        Second, the virus seems to be activated by some kind of a human operator, and well... you are probably not important enough (read: high level nuke scientist or something)
        Third, this thing is in the wild since 2010, maybe even as early as 2007, and you didnt get infected in all the updates since then (I assume), or it is to late anyway.
        Fourth, you use Windows and then ask if you might catch a virus? Seriously?
        Fifth, to be absolutely safe: format your HD a couple of times, get OpenBSD on it with a strong root password (at least 128 characters), get the battery out and pack the thing in a lead box with walls at least 5 inch thick, fill the rest of the box with epoxy and bury the whole thing on a depth of at least 10 feet... on Pluto...
        • by julian67 ( 1022593 ) on Tuesday June 05, 2012 @04:07PM (#40224265)

          Iran is an Arab country now? Did anybody let them know? The rest of the comment is unfounded speculation and recycled nonsense. To everyone who modded "informative": doh!

          • Re: (Score:3, Insightful)

            by Medievalist ( 16032 )

            Iran is an Arab country now? Did anybody let them know?

            Most Americans can't understand the differences between Persia and East Boise.

            • Re: (Score:3, Funny)

              by cavreader ( 1903280 )

              Of course. Americans are all idiots but somehow stil manage to lead the world in economic, military, and computer technology. It's a mystery.

              • No mystery. Numbers.

                Even if the bell curve is skewed in the wrong direction (I'm not saying it is but many people seem to think so) the shear number of people means that there are plenty in the population near the top end of the curve capable of great innovation and there are so many at "reasonable average" levels such there is brawn and brain power available to make innovations work for the economy and feed back into the population to complete the cycle (overpowering the effect of the agents at the lowe
            • by Rinikusu ( 28164 ) on Tuesday June 05, 2012 @05:14PM (#40225267)

              Of course I know the difference between Persians and East Boisans. Persians have the annoying tendency to say "Bro" after every other word, drive Mercedes and threaten to cut your balls off if you even look at a Persian girl. East Boisans say "Y'all" after ever other word, drive Ford F150s and fantasize about their sisters.

              Greetings from LA.

            • by Kozar_The_Malignant ( 738483 ) on Tuesday June 05, 2012 @07:10PM (#40226691)
              The climate is better in Persia and there are a lot fewer Mormons.
          • by cavreader ( 1903280 ) on Tuesday June 05, 2012 @04:35PM (#40224709)

            I think it may be better to say it is an attack targeted at specific regions or countries. Kaspersky had most of the module signatures in their database over 2 years ago and decided not to flag them as active malware. Most malware programs are small in size and spend a good deal of time trying to masquerade or hide itself from virus scanners. In Flames case it was a huge program using SQLLite and other normal business related applications to do the work. It was made to look like a normal business application which basically was hiding in plain sight that virus scanners determined harmless. The guys who built Flame and Stuxnet make Anonymous and other script kiddies look ridiculously stupid. As more and more applications get flagged as malware the only thing people will be able to actually run is the OS.

        • Flame is not "Arab-centric". The tool kit exists now, and it will spread around the world. Every micro-generation has to learn the same lesson... and promptly to forget it: dump Windows. It's beyond compromised. That's why businesses and spooks like it. It defines police state software... sigh.

          • amen. I'm sure there are Russian hackers right now thinking "oh no, we can't copy Flame for our own purposes because it only attacks Arab countries".

            I wonder if a Flame variant is already out there, quietly waiting to do its thing after the fuss has died down a little? If Windwos Update tries to download a special certificate hotfix from mikrosoft.ru, I'd be reinstalling the entire OS.

        • by Nidi62 ( 1525137 )

          First, there are hardly any infections outside the Arab-world. (my guess is that it just takes a look at the keyboard driver in use) Going by your username you're not an Arab guy.

          I doubt it looks at keyboard drivers to decide who to infect. I know a lot of people here in the US that have Arab keyboard drivers on their computers that aren't Arab, or obviously even in the Middle East. I'm one of them. Pretty much any university student studying Arabic has an Arabic keyboard downloaded for their computer. Simply looking at that would cause the malware to spread way too far, and cause way too much collateral damage if it's intended to be a targeted attack.

      • No because that was the root cert revocation that MSFT released to cancel TFA. if you are truly worried about Windows update frankly there is NO reason to run it the old fashioned way, especially when you have more than one machine as it'll just be a waste of bandwidth.

        Instead just use WSUS Offline [wsusoffline.net] which will get the updates directly from MSFT using WGET and drop them in the folder of your choice, all nice and neat and complete with a simple .exe launcher. It can also take care of .NET, MSE updates, and M

        • I find it easier and more sane, if Windows is necessary, to run linux or BSD on the iron, and install Windows to a virtual machine while network isolated, no updates, no patches, no AV, though install all necessary applications that are otherwise actually useful, Office stuff, whathaveyou, have a mounted shared folder from the VM on the actual real HD for documents, and then zip the machine before plugging in the net cable. After every use, nuke the VM, unzip a new instance, a freshly clean install in a min
    • Whoever wrote Flame got legit certs from MS somehow. So it seems a bit hypocritical of MS to acting so innocent and violated at this point.

  • While they're at it (Score:5, Interesting)

    by slashmydots ( 2189826 ) on Tuesday June 05, 2012 @01:41PM (#40222003)
    The security surrounding Windows Update is rather pathetic, certificate or no certificate. It's cost me many, many extra hours and headaches, while they're "hardening up" windows update, they should also make a vastly improved repair utility for it. I hate spending all that time removing a virus from a customer computer just to find out at the end that Windows Update is irreparably broken and SFC, their own fixit tool, 3rd party mass re-registration tools, and registry utilities all cannot fix it so I have to reinstall. Considering that an OS install is classified as "totaled" if Windows Update no longer works, maybe they should protect it better AND make a flawless, end-to-end reinstaller that resets it to absolute default settings and fully repairs it.
    • by slaker ( 53818 ) on Tuesday June 05, 2012 @01:50PM (#40222135)

      I get a lot of mileage out of Windows Repair Portable [majorgeeks.com]. It restores settings for a large number of issues that don't have a regular, non-painful reset/repair/reinstall option. I've found it particularly handy for fixing the Windows Firewall and Windows updates.

      I'd prefer to do a reinstall under almost all circumstances of malware infection, but that's not always an option available for home or small business systems. I particularly dislike having to rely on Windows System Restore. I really wish modern versions of Windows had a painless repair install that would allow end users to keep programs and settings.

    • by Anonymous Coward on Tuesday June 05, 2012 @02:35PM (#40222769)

      Who repairs a windows install? Really, it's not worth anybody's time. If you're qualified enough to remove a modern rootkit with any real guarantee of future security, then the value of your time spent removing said infection is more than the total cost of a new PC. Not even remotely kidding.

      Installing windows while recovering user data is fast and easy. Modern rootkits are too good. The only reasonable course of action when you have an infection is wipe and install. - Make sure you clean the boot sector! (It's not a bad idea linux boot cd/usb flash drive and dd zeros over the first few megabytes of the drive. This will wipe out the boot sector, partition table/disk label/whatever, and any other places low level nasties generally reside. Plus, your OS installer will see a nice fresh unused drive and will feel free to lay down new partitions as it sees fit, and will not be tempted to do anything stupid like attempt a repair or upgrade)

  • by dragisha ( 788 ) <(dragisha) (at) (m3w.org)> on Tuesday June 05, 2012 @01:46PM (#40222071)

    Funny thing to say about any version of Windows.

    Question remains: how comes those people are so dumb? Being at de-facto cyberwar with a country, and still use closed source program originating from it?

    Another one: Be rich and smart enough to have a nuclear research, but not smart enough to roll its own IT infrastructure base on code they can audit?

    • Nuclear research is easy. Good software design is hard.

      (This statement meant to be both more and less tongue-in-cheek than you expect.)

      • by geekoid ( 135745 )

        "Good software design is hard."
        Not really. It's just more costly.
        We know how to build good software design.

        • by lgw ( 121541 )

          We know how to build good software design.

          For example? SE Linux is pretty good, but it's quite hard to configure, and without a good per-application config it loses its advantage.

          There are security products for Windows which achieve the same thing as SE Linux, BTW, but those too are all about the configuration. It's not that the Windows kernel is insecure, it's that people tend to run consumer software on their Windows install (and there's still too much crap "on" by default: Win2008-r2 made a large stride in the right direction there, but it sti

    • by geekoid ( 135745 )

      This is what happen when a country 'buys' into a technology. None of the infrastructure is there,.

    • Because to many people, "Windows is the computer".

      Also, there are plenty of "dumb" Americans using the same OS for the same reason.

      "Another one: Be rich and smart enough to have a nuclear research, but not smart enough to roll its own IT infrastructure base on code they can audit?"

      Uh oh......

    • Question remains: how comes those people are so dumb? Being at de-facto cyberwar with a country, and still use closed source program originating from it?

      Even Ivan took shortcuts. Read about the Savatage of the Trans-Siberian Orchestra [wikipedia.org]. (D'oh, stupid auto-complete!)

      • by dragisha ( 788 )

        Question remains: how comes those people are so dumb? Being at de-facto cyberwar with a country, and still use closed source program originating from it?

        Even Ivan took shortcuts. Read about the Savatage of the Trans-Siberian Orchestra [wikipedia.org]. (D'oh, stupid auto-complete!)

        Good reading that...

        I wonder if there's a Russian source linking Space shuttle explosions with bugs-in-stolen-code, you know, that code stolen from Russians to drive space program...

        Maybe Russians inserted FOR I = 1.100 DO... in rocket's code...

        A lot of tongue in cheek, but... cyberwar in 1982 is as credible as is Wargames scenario, Joshua playing TicTacToe... Who wants to believe - he will. Me - I like harder facts than random writing on the wall called wikipedia.

    • by Catbeller ( 118204 ) on Tuesday June 05, 2012 @05:30PM (#40225493) Homepage

      Flame is using tech that is not Stuxnet-related... this is beyond Israel's and the US's not-so-secret war with Iran. This code means that no Windows machine in the world that uses MS updating will ever be trustworthy... unless you apply a huge dose of collective amnesia and shoulder-shrugging denial.

      Question: is there a collusion between some dark back office at MS and the spooks, thru which the spooks get digitally signed certificates? Is the "bug" intentional? MS and Apple have been quietly cooperating with the FBI, NSA and the spooks almost since day one... how much? Are we just seeing the corner of the machine?

      Is Linux or BSD safe? I don't mean from a man-in-the-middle attack; I mean a man-under-your-feet attack. What if chip or mobo makers install cracks in the hardware itself, on the order of US (and Chinese) spooks? I don't think we can trust the hardware made in the last ten years or so. We may have to go to printing our mobos someday - and how then would you trust the mobo designs didn't have backdoors in their software, somehow, or in updateable firmware?

      Iran should have known better, how, and how would they get around using Windows even if they wanted to - the equipment they buy is welded to Microsoft. I doubt there are many open sourced centrifuge software packages.

      • by Necroman ( 61604 )

        Flame may not be using the same tech, but it is highly advanced and uses a lot of the same attack vectors that Stuxnet and Duqu used. It definitely wasn't developed by the team behind those 2 malware packages, but more of a parallel project that used some of the same tricks.

        It still feels very much like an NSA lead attack on the middle east.

    • by sapgau ( 413511 )

      Yes but, by highjacking a Microsoft certificate you are pretty much Fu$$ed since there is no detection UNLESS you update your root certificates.
      When was the last time we updated our root certificates without going through Windows update?

  • by Megor1 ( 621918 ) on Tuesday June 05, 2012 @01:52PM (#40222153) Homepage
    Anyone know what this is about it's in the last paragraph "It's interesting to mention that these machines mostly run Windows XP and Windows 7 32 bit, but none of them run Windows 7 64 bit, which seems impervious against this and most other malware." Is that due to driver signing requirements?
    • by Anonymous Coward on Tuesday June 05, 2012 @01:58PM (#40222251)

      Anyone know what this is about it's in the last paragraph
      "It's interesting to mention that these machines mostly run Windows XP and Windows 7 32 bit, but none of them run Windows 7 64 bit, which seems impervious against this and most other malware."

      Is that due to driver signing requirements?

      "Hardware-based DEP (Data Execution Protection), for example, is turned on for all 64-bit processes. Kernel Patch Protection (a.k.a. PatchGuard) protects access to internal operating system data structures. And device drivers must be digitally signed with a certificate issued by a trusted certificate authority. Finally, none of the large body of malware written as 32-bit drivers or any 16-bit code will run at all on 64-bit Windows."


    • by gl4ss ( 559668 )

      it might be that it's just not a target, fragmentation ftw i suppose.

      but it beats me why it wouldn't be vulnurable to the windows update with rogue cert hijack though, nothing about dep or driver signing should affect that attack vector..

      • They may have limited their attacks so that they only used attacks on systems where they could get most of their attacks to work. If one wanted the system to stay unnoticed for as long as possible, it makes sense to only target the systems that you have a really good understanding of.
    • by Myria ( 562655 ) on Tuesday June 05, 2012 @02:16PM (#40222487)

      Is that due to driver signing requirements?

      Driver signing doesn't mean squat for security. Third-party drivers with security holes and back doors are a dime a dozen, and there are even some in Microsoft drivers, of course. I have a publicly-available CPU diagnostic utility that comes with a signed 64-bit driver that allows user mode to write to any desired MSR. That easily leads to executing arbitrary code execution, most easily by changing the syscall vector. Malware that acquires administrator privileges can just install some company's vulnerable driver.

      Driver signing is really about DRM. Hollywood was strongly concerned about fake video card and sound card drivers being used to dump unencrypted content from protected sources. The proof of my statement is what happens when you boot the Vista/7/8 kernel in debug or test signing mode: everything works except Blu-Ray movies and other DRM content.

  • by frostfreek ( 647009 ) on Tuesday June 05, 2012 @02:13PM (#40222467)

    disable NetBIOS ?
    I don't think I'm using it for anything... even my printer is set up with an IP address.

    • Re:So should I... (Score:5, Informative)

      by green1 ( 322787 ) on Tuesday June 05, 2012 @02:53PM (#40223041)

      The answer to that has been a resounding yes ever since NetBIOS was introduced. It was always a windows only way of doing things that already had other non-proprietary standard ways of being accomplished. It has also been a vector for various malware over the years.

  • According to the article, they say that infected machines will respond to NetBIOS name queries for Windows Update servers. That strikes me as odd. Don't you have to enable NetBIOS for DNS resolution in the Windows NT series? And aren't traditional BIND name servers a higher protocol bind order by default?

    I thought I had read elsewhere that the problem was actually due to the insecurity of having "Automatically detect [proxy] settings" enabled for IE. When Windows Update fires off, it checks for the defa

  • Why is Windows Update using netbios? I thought the A record DNS results for update.microsoft.com and related were hard coded in the OS to prevent these sort of spoofing attacks.

    Is this something with the WSUS based updating procedure?

    • by lgw ( 121541 )

      I don't know the details of this attack, but most corporate desktops don't update from update.microsoft.com, but from an in-house update server (many big companies insist on this - they want firm control of when and which patches go out). Presumably that's the attack vector.

  • So if these things are government "cyberweapons", they are something like a cyber-landmines, with huge collateral damage. This will not go on for long.
  • by VGPowerlord ( 621254 ) on Tuesday June 05, 2012 @02:35PM (#40222765)

    I saw an article about this already on Ars Technica. However, Ars included one detail that the Slashdot and Security Week stories don't:
    Microsoft issued an emergency update [technet.com] Sunday that updated the Windows Certificate Revocation List specifically to expire the certificate used by this exploit.

  • by dave562 ( 969951 ) on Tuesday June 05, 2012 @02:47PM (#40222925) Journal

    When Windows Update was introduced, the first thought to go through my mind was, "I wonder how long until someone compromises this and uses it to push out malware." It took a lot longer than I thought.

    • Any centralized software distribution channel is vulnerable to this sort of thing if you can't keep the signing keys secure. The major fuck-up here was that those keys were leaked, and not even maliciously (e.g. by infiltrating MS or using people skills to tease them out), but out of sheer incompetence on behalf of the authors of the software that did it.

  • If this malware is part of a cyberwarfare effort by the US against Iran + Co, then isn't Microsoft - a US company - borderline committing treason by offering to patch the security hole?
    • Not to wear the tinfoil hat, but I wouldn't be absolutely shocked if MS was actually in on part of the thing. They've been accused of creating backdoors for the NSA and such, historically. So, they could conceivably issue their "fix" while working with "gub'mnt" for a different tactic or workaround.
    • You assume that the patch is effective.

  • by utkonos ( 2104836 ) on Tuesday June 05, 2012 @03:44PM (#40223865)
    The US government has admitted to authorizing stuxnet. Now it looks like Flame is probably also a government authorized weapon.

    My question is where did the money for the C&C servers come from? Those C&C domains were paid for with stolen credit cards and stolen identities. The same thing was used to purchase the VPSs used as the C&C servers. Why isn't there an outcry because the US government stole the identities and credit card numbers of private individuals to make these botnets? Where did they get these stolen identities? Did they use criminal means and buy them on the black market from other botherders? Did they just open their own files and roll the dice choosing people at random?
  • why people think it's OK to break the law, so long as you're doing it with tax dollars. Forget the other threats to the country, tolerate that long enough and you're practically begging for despotism.

"I will make no bargains with terrorist hardware." -- Peter da Silva